DETAILED ACTION

1. Claims 21, 22, 24-28, and 31-51 are pending.
Claims 1-20, 23, and 29-30 are cancelled. 

Response to Arguments 

2. Applicant's arguments filed 2/19/10 have been fully considered but they are not
persuasive. 

Claims 43-51 remain rejected under 35 U.S.C. 101 because the claims fail to
explicitly exclude all forms of transitory media, and thus will be interpreted as
encompassing signals.

Examiner traverses the argument on pg.10 regarding claim 21, that
Flowers does not teach or suggest at least the element of an execution area configured
to perform operations to examine a set of instructions embodying an invoked
application to identify the invoked application, wherein to examine the set of instructions 
comprises to apply a hash function to the set of instructions to generate a condensed 
representation and to compare the condensed representation with existing condensed 
representation for known applications. Flowers discloses operations to examine and
monitor invoked applications but does not clearly discuss that examining a set of instructions
comprises applying a hash function to the set of instructions to generate a
condensed representation and comparing the condensed representation with existing
condensed representation for known applications. Naccache discloses that the calculation
operation can consist in applying a hash function, according to a technique known per
se in the field of data enciphering, such as the SHA-1 hash function established by
federal hash standard. In this case it is possible to effect the aforementioned internal 
change in the running of the monitoring method by cryptographically hashing all the 
operating codes (considered as numerical values) and the addresses executed since 
the last initialization carried out (col. 5, lines 44-52). Naccache further discloses hashing
the instructions of the program and then comparing the result with the referenced (hash) value
which is to correspond to the expected value (col. 9, lines 23-67). Therefore, it is
obvious to use the hashing function of Naccache to generate a condensed 
representation of instructions in the vulnerability detection system for invoked 
applications of Flowers as it is applying a known (hash) technique to a known 
device/method ready for improvement to compare and verify the condensed 
representation with existing condensed representation for known applications 
(Naccache - col.3, lines 50-67 and col.9, lines 23-67). 

Applicant further argues on pg.11 that Naccache discloses a hashing result for
each instruction, not a set of instructions. Hashing each instruction obviously results in
hashing a set of instructions. The claim does not specify what constitutes a set (of
instructions). Further, applicant argues that Naccache does not teach or suggest
comparing a condensed representation with existing representations for known 
applications. Flowers being the primary prior art discloses the claimed application- 
specific intrusion signatures when specified application is detected where the 
application ID being a qualifier identifying a particular application (col.6, lines 47-col.7, 
line 21). Flowers further discusses assigning a reflex signature to a template type (col. 5,
lines 53-55) and each rule is associated with a particular vulnerability ID which can be
numerical or a name and that security engineers need to know what types of attack 
signatures to look for, how to look for them, and how to respond to an identified attack in 
vulnerability/intrusion detection systems (col.1, lines 49-53). Thus, Flowers reads on 
determining the instructions or representation for known applications. Naccache is 
brought forth to further teach the obviousness of examining the set of instructions that 
comprises hashing the set of instructions to generate a condensed representation and 
to compare the condensed representation with existing condensed representation for 
known applications. As such, Naccache states the calculation operation can consist in 
applying a hash function, according to a technique known per se in the field of data 
enciphering, such as the SHA-1 hash function established by federal hash standard 
(col. 5, lines 44-52). Thus, it is obvious to use the hashing function of Naccache to
generate a condensed representation of instructions in the vulnerability detection 
system for invoked applications of Flowers as it is applying a known (hash) technique to 
a known device/method ready for improvement to compare and verify the condensed 
representation with existing condensed representation for known applications 
(Naccache - col. 3, lines 50-67 and col. 9, lines 23-67). Therefore, the Flowers and 
Naccache combination reads on the claimed invention of claim 21.

Claim Rejections - 35 USC § 101

35 U.S.C. 101 reads as follows:

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of 
matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the 
conditions and requirements of this title. 

3. Claims 43-51 are rejected under 35 U.S.C. 101 because the claimed 
invention is directed to non-statutory subject matter. The instant claims 43-51 are 
drawn to a "computer-readable medium", which in light of the disclosure, appears to 
encompass electronic signals. 
Specification: 

[0064] As used herein, the term "machine-readable medium" 
refers to any medium or device used to provide machine instructions 
and/or data to the machine 600. Examples include the medium 635, the 
memory 620, and/or PLDs, FPGAs, ASICs, and the like. The term
"machine-readable signal" refers to any signal, such as the signals 
654, used to provide machine instructions and/or data to the machine 
600. 

Examiner notes that the term does not appear to have been defined in the specification
so as to explicitly exclude all forms of transitory media, and thus will be interpreted as
encompassing signals for the purposes of examination. Neither the claims nor the specification
limits the storage medium to only non-transitory media or disavows signals for the
storage medium. Therefore, claims 43-51 are non-statutory, as signals do not fall under
any of the four categories of invention.



Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 
(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are such
that the subject matter as a whole would have been obvious at the time the invention was made to a person having 
ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the manner in 
which the invention was made. 

4. Claims 21, 22, 24-28, and 31-51 are rejected under 35 U.S.C. 103(a) as being
unpatentable over Flowers (US 6,957,348), and further in view of Naccache (US
7,168,065).

As per claim 21: 

Flowers discloses a system comprising:
a network; and (col.3, lines 55-57) 

one or more machines coupled with the network, each machine comprising a 
communication interface and a memory including an execution area configured to 
perform operations (col.3, lines 18-23 and col. 13, lines 40-45) to examine a set of 
instructions embodying an invoked application to identify the invoked application (col.3, 
lines 49-54 and col.7, lines 13-20), wherein to examine the set of instructions
comprises to apply a hash function to the set of instructions to generate a condensed
representation and to compare the condensed representation with existing condensed
representation for known applications, obtain application-specific intrusion criteria, the
application-specific intrusion criteria including intrusion signatures and behavior criteria 
(col.6, lines 47-54 and col.8, lines 21-25), and monitor network communications for 
the invoked application for application-specific intrusion signatures and abnormal 
application behavior to detect an intrusion, (col.3, lines 45-62 and col.4, lines 4-15) 

Although Flowers discloses operations to examine and monitor invoked
applications, it does not clearly discuss that examining a set of instructions comprises
applying a hash function to the set of instructions to generate a condensed representation
and comparing the condensed representation with existing condensed representation
for known applications.

Naccache discloses the invention for monitoring the progress in execution of a 
series of instructions of a computer program to analyze and verify each of the 
instructions has indeed been loaded or executed to the processor (col. 3, lines 50-62 
and col. 8, lines 53-67). The monitoring device can be integrated into a programmed 
device which contains the program to be monitored or into a device for executing a 
program to be monitored (col. 6, lines 28-31). Naccache discloses the calculation 
operation can consist in applying a hash function, according to a technique known per 
se in the field of data enciphering, such as the SHA-1 hash function established by 
federal hash standard. In this case it is possible to effect the aforementioned internal 
change in the running of the monitoring method by cryptographically hashing all the 
operating codes (considered as numerical values) and the addresses executed since 
the last initialization carried out (col. 5, lines 44-52). Naccache further discloses hashing
the instructions of the program and then comparing the result with the referenced (hash) value
which is to correspond to the expected value (col. 9, lines 23-67).

Therefore, it is obvious to use the hashing function of Naccache to generate a 
condensed representation of instructions in the vulnerability detection system for 
invoked applications of Flowers as it is applying a known (hash) technique to a known 
device/method ready for improvement to compare and verify the condensed 
representation with existing condensed representation for known applications 
(Naccache - col.3, lines 50-67 and col.9, lines 23-67).

As per claim 22: See Flowers on col. 12, lines 50-57 and Naccache on col. 13, lines 
15-31; discussing the application-specific intrusion criteria comprises a normal
communication behavior threshold. 

As per claim 24: See Flowers on col.3, lines 45-62 and col.4, lines 4-15; discussing 
to monitor network communications comprises monitoring network communications in a 
network intrusion detection system component running in an execution context with the 
invoked application. 

As per claim 25: See Flowers on col.3, lines 25-30 and 50-55 and Naccache on 
col. 10, lines 15-23; discussing the operations further comprise to provide an application- 
specific remedy for a detected intrusion. 

As per claim 26: See Flowers on col.3, lines 50-55 and Naccache on col. 7, lines 30- 
35; discussing to provide an application-specific remedy comprises cutting at least a 
portion of the network communications for the invoked application.

As per claim 27: See Flowers on col.3, lines 40-55 and col.4, lines 1-30; discloses
the system of claim 24 wherein each machine further comprises a local repository and a 
security operation center, the security operation center includes a repository, and 
wherein to obtain the application specific intrusion criteria comprises to: request the 
application-specific intrusion criteria from a local repository; request the application- 
specific intrusion criteria from the master repository if the application-specific intrusion 
criteria is unavailable in the local repository; receive the application-specific intrusion 
criteria from the master repository if requested; and receive the application-specific 
intrusion criteria from the local repository.

As per claim 28: See Naccache on col.9, lines 37-67; discussing the system of claim 
24 wherein to examine the set of instructions comprises: apply a hash function to the 
set of instructions to generate a condensed representation; and compare the 
condensed representation with existing condensed representations for known 
applications.

As per claim 31:

Flowers discloses a detection method, comprising:

examining a set of instructions embodying an invoked application to identify the 
invoked application (col.3, lines 49-54 and col. 7, lines 13-20), wherein to examine the
set of instructions comprises to apply a hash function to the set of instructions to
generate a condensed representation and to compare the condensed representation
with existing condensed representation for known applications;

obtaining application-specific intrusion criteria, the application-specific intrusion 
criteria including application-specific intrusion signatures and behavior criteria; and 
(col. 6, lines 47-54 and col. 8, lines 21-25) 

monitoring network communications for the invoked application for application- 
specific intrusion signatures and abnormal application behavior to detect an intrusion. 
(col.3, lines 45-62 and col.4, lines 4-15) 

Although Flowers discloses operations to examine and monitor invoked
applications, it does not clearly discuss that examining a set of instructions comprises
applying a hash function to the set of instructions to generate a condensed representation
and comparing the condensed representation with existing condensed representation
for known applications.

Naccache discloses the invention for monitoring the progress in execution of a 
series of instructions of a computer program to analyze and verify each of the 
instructions has indeed been loaded or executed to the processor (col. 3, lines 50-62 
and col. 8, lines 53-67). The monitoring device can be integrated into a programmed 
device which contains the program to be monitored or into a device for executing a 
program to be monitored (col. 6, lines 28-31). Naccache discloses the calculation 
operation can consist in applying a hash function, according to a technique known per 
se in the field of data enciphering, such as the SHA-1 hash function established by 
federal hash standard. In this case it is possible to effect the aforementioned internal 
change in the running of the monitoring method by cryptographically hashing all the 
operating codes (considered as numerical values) and the addresses executed since 
the last initialization carried out (col. 5, lines 44-52). Naccache further discloses hashing
the instructions of the program and then comparing the result with the referenced (hash) value
which is to correspond to the expected value (col. 9, lines 23-67).

Therefore, it is obvious to use the hashing function of Naccache to generate a 
condensed representation of instructions in the vulnerability detection system for 
invoked applications of Flowers as it is applying a known (hash) technique to a known 
device/method ready for improvement to compare and verify the condensed 
representation with existing condensed representation for known applications 
(Naccache - col.3, lines 50-67 and col.9, lines 23-67).

As per claim 32: See Naccache on col.9, lines 37-67; discussing the method of claim
31, wherein examining a set of instructions embodying an invoked application to identify
the invoked application comprises: applying a hash function to the set of instructions to 
generate a condensed representation; and comparing the condensed representation 
with existing condensed representations for known applications.

As per claim 33: See Flowers on col. 6, lines 47-54 and col. 8, lines 21-25; discussing
the method of claim 31, wherein network communications are monitored for application-
specific intrusion signatures that correspond to the identified invoked application.

As per claim 34: See Flowers on col. 3, lines 50-55 and Naccache on col. 7, lines 30-
35; discussing the method of claim 31, further comprising unloading the application-
specific intrusion signatures corresponding to the identified invoked application when 
the identified invoked application is terminated. 

As per claim 35: See Flowers on col. 12, lines 50-57 and Naccache on
col. 13, lines 15-31; discussing the method of claim 31, further comprising tracking one
or more characteristics of the network communications to identify application-specific 
abnormal communication behavior. 

As per claim 36: See Flowers on col. 12, lines 50-57 and Naccache on col. 13, lines 
15-31; discussing the method of claim 35, wherein tracking one or more characteristics
of the network communications comprises comparing the one or more characteristics 
with one or more configurable thresholds. 

As per claim 37: See Flowers on col.3, lines 45-62 and col.4, lines 4-15; discussing 
the method of claim 35, wherein monitoring network communications comprises 
monitoring network communications in a network intrusion detection system component
invoked with the invoked application. 

As per claim 38: See Flowers on col.7, lines 11-26; discussing the method of claim
37, wherein the network intrusion detection system component and the invoked 
application run within a single execution context. 

As per claim 39: See Flowers on col. 3, lines 25-30 and 50-55 and Naccache on 
col. 10, lines 15-23; discussing the method of claim 31, further comprising operations to 
provide an application-specific remedy for a detected intrusion.

As per claim 40: See Flowers on col.3, lines 45-55 and Naccache on col. 10, lines
15-23; discussing the method of claim 39, wherein operations to provide an application- 
specific remedy for a detected intrusion comprises cutting at least a portion of the 
network communications for the invoked application and/or notifying a system 
administrator of the identified application-specific abnormal communication behavior.

As per claim 41: See Flowers col. 6, lines 47-54 and col. 8, lines 21-25; discussing
the method of claim 31, wherein obtaining the application-specific intrusion detection
signature comprises loading the application-specific intrusion detection signature from a 
local signature repository. 

As per claim 42: See Flowers on col.3, lines 40-55 and col.4, lines 1-30; discussing 
the method of claim 31, wherein obtaining the application-specific intrusion detection 
signature comprises: requesting the application-specific intrusion detection signature 
from a local signature repository in communication with a remote signature repository; 
and receiving the application-specific intrusion detection signature from the local
signature repository.

As per claim 43:

Flowers discloses the machine-readable medium embodying machine instructions
for causing one or more processors to perform operations comprising: 

examining a set of instructions embodying an invoked application to identify the 
invoked application (col.3, lines 49-54 and col.7, lines 13-20), wherein to examine the
set of instructions comprises to apply a hash function to the set of instructions to
generate a condensed representation and to compare the condensed representation
with existing condensed representation for known applications;

obtaining application-specific intrusion criteria, the application-specific intrusion 
criteria including application-specific intrusion signatures and behavior criteria; and 
(col.6, lines 47-54 and col.8, lines 21-25) 

monitoring network communications for the invoked application for application- 
specific intrusion signatures and abnormal application behavior to detect an intrusion. 
(col.3, lines 45-62 and col.4, lines 4-15) 

Although Flowers discloses operations to examine and monitor invoked
applications, it does not clearly discuss that examining a set of instructions comprises
applying a hash function to the set of instructions to generate a condensed representation
and comparing the condensed representation with existing condensed representation
for known applications.

Naccache discloses the invention for monitoring the progress in execution of a
series of instructions of a computer program to analyze and verify each of the 
instructions has indeed been loaded or executed to the processor (col. 3, lines 50-62 
and col. 8, lines 53-67). The monitoring device can be integrated into a programmed 
device which contains the program to be monitored or into a device for executing a 
program to be monitored (col. 6, lines 28-31). Naccache discloses the calculation 
operation can consist in applying a hash function, according to a technique known per 
se in the field of data enciphering, such as the SHA-1 hash function established by 
federal hash standard. In this case it is possible to effect the aforementioned internal 
change in the running of the monitoring method by cryptographically hashing all the 
operating codes (considered as numerical values) and the addresses executed since 
the last initialization carried out (col. 5, lines 44-52). Naccache further discloses hashing
the instructions of the program and then comparing the result with the referenced (hash) value
which is to correspond to the expected value (col. 9, lines 23-67).

Therefore, it is obvious to use the hashing function of Naccache to generate a 
condensed representation of instructions in the vulnerability detection system for 
invoked applications of Flowers as it is applying a known (hash) technique to a known 
device/method ready for improvement to compare and verify the condensed 
representation with existing condensed representation for known applications 
(Naccache - col.3, lines 50-67 and col.9, lines 23-67). 

As per claim 44: See Naccache on col.9, lines 37-67; discussing the machine- 
readable medium of claim 43, wherein examining a set of instructions embodying an 
invoked application to identify the invoked application comprises: applying a hash
function to the set of instructions to generate a condensed representation; and 
comparing the condensed representation with existing condensed representations for 
known applications. 

As per claim 45: See Flowers col. 6, lines 47-54 and col. 8, lines 21-25; discussing 
the machine-readable storage medium of claim 43, wherein network communications 
are monitored for application-specific intrusion signatures that correspond to the 
identified invoked application. 

As per claim 46: See Flowers on col.3, lines 50-55 and Naccache on col. 7, lines 30- 
35; discussing the machine-readable medium of claim 43, further comprising unloading 
the application-specific intrusion signatures corresponding to the identified invoked 
application when the identified invoked application is terminated.

As per claim 47: See Flowers on col. 12, lines 50-57 and Naccache on col. 13, lines
15-31; discussing the machine-readable medium of claim 43, further comprising
tracking one or more characteristics of the network communications to identify 
application-specific abnormal communication behavior.

As per claim 48: See Flowers on col.7, lines 11-26 and col. 12, lines 50-57 and 
Naccache on col. 13, lines 15-31; discussing the machine-readable medium of claim 47, 
wherein tracking one or more characteristics of the network communications comprises 
comparing the one or more characteristics with one or more configurable thresholds.

As per claim 49: See Flowers on col.3, lines 45-62 and col.4, lines 4-15; discussing
the machine-readable medium of claim 47, wherein monitoring network communications 



Application/ Control Number: 10/066,070 Page 16 

Art Unit: 2435 

comprises monitoring network communications in a network intrusion detection system 
component invoked with the invoked application. 

As per claim 50: See Flowers on col.7, lines 11-26; discussing the machine-readable
medium of claim 49, wherein the network intrusion detection system component and the 
invoked application run within a single execution context. 

As per claim 51: See Flowers on col.3, lines 45-55 and Naccache on col. 10, lines
15-23; discussing the machine-readable storage medium of claim 43, further comprising 
operations to provide an application-specific remedy for a detected intrusion. 



Conclusion 

5. THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time 
policy as set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the mailing date of this final action.

Any inquiry concerning this communication or earlier communications from the examiner
should be directed to Leynna T. Truvan whose telephone number is (571) 272-3851. The
examiner can normally be reached on Monday - Thursday (7:00 - 5:00PM) and telework on 
Wednesday. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Kim Vu can be reached on (571) 272-3859. The fax phone number for the
organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private 
PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you 
would like assistance from a USPTO Customer Service Representative or access to the 
automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

/L T. TV 

Examiner, Art Unit 2435 

/Kimyen Vu/ 
Supervisory Patent Examiner, Art Unit 2435 



